A Versatile Script Framework for LOLBins Exploitation Used by China-aligned Threat Groups
Essential information
- Published
- 26/01/2026 20:30
- Modified
- 27/01/2026 07:34
- Tags
- 2026-01-26 CVE-2020-16040 apt biopass rat c&c framework china-aligned darknimbus gambling government grayrabbit holodonut jscript lolbins mkdoor peckbirdy wizardnet
- Related entities
- 1 vulnerabilities (cve), 21 observables, 1 intrusion sets (apt), 19 techniques (mitre), 7 malware, 33 others
Description
PeckBirdy is a sophisticated JScript-based C&C framework employed by China-aligned APT groups since 2023. It exploits LOLBins across multiple environments to deliver advanced backdoors, targeting gambling industries and Asian government entities. The framework's versatility allows it to be used in various attack stages, from watering-hole control to lateral movement and C&C operations. Two campaigns, SHADOW-VOID-044 and SHADOW-EARTH-045, demonstrate coordinated threat group activity using PeckBirdy. The framework is complemented by two modular backdoors, HOLODONUT and MKDOOR, which extend its attack capabilities. PeckBirdy's design enables flexible deployment and execution across different environments, including browsers, MSHTA, WScript, Classic ASP, Node JS, and .NET.